On Tue, Jun 19, 2007 at 04:48:15PM -0400, Rob Campbell wrote:
>
> Just curious if this is a known issue or something that is out of
> your control.
> I noticed that some of the flows in my pcaps have nowhere near the
> expected number of packets after separating an individual flow using
> editcap.
>
> i.e. editcap -r /pub/mypcap.pcap /pub/mysubcap.pcap 1-3 6-7 12-14 15-16
> 20-40 etc. etc.
>
> I have several pcaps I am analyzing that have flows that have 6000+
> packets, but they are very spread out across the pcap, resulting in only
> sets of 2-10 packets together.

How do you select these packet-ranges? Can't they be selected by a
display-filter? If they can, you could use the following syntax to
create the capture file which contains only the packets of interest:

tshark -r <infile> -w <outfile> -R <display filter>

> I did some experimenting and the problem seems to lie in that editcap
> seems to only read the first 100 arguments (be it individual packet
> numbers or sets of packet numbers).
>
> Is this limit intentional or can it be removed? Is this a unix/linux
> limitation?

This is intentional; the following is from editcap.c:

static struct select_item selectfrm[100];

It means that there is only room for 100 "select-items". How many would
you need for your purpose? It might be changed in the source code?

Personally I think a hundred items should be sufficient, because if I
need to enter that many packet-ranges, I would try to find some other
way of selecting the packets needed (like the command above).

Hope this helps,
Cheers,
Sake
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
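The 100 select-item limit quoted from editcap.c above can be worked around without touching the source: split the range list into batches of at most 100, run editcap once per batch, and concatenate the parts with mergecap -a. The script below is an added example written for this page; it is not from the thread, from editcap or from Wireshark. It only prints the editcap and mergecap command lines (pipe its output to sh to run them), so it can be checked without Wireshark installed. The function names emit_editcap_batches and count_editcap_calls, the MAX_SELECT variable and the -partNNN.pcap naming are this example's own choices. If the packets can instead be picked by a display filter, as Sake suggests, that is simpler: note that in current tshark releases -R is a two-pass read filter that needs -2, and the single-pass equivalent of the command above is tshark -r <infile> -w <outfile> -Y <display filter>, for example -Y "tcp.stream eq 5" to pull out one TCP conversation.

```shell
#!/bin/sh
# Added example (not from the thread or the Wireshark sources): batch a long
# editcap range list so that no single editcap call gets more than MAX_SELECT
# select-items, then concatenate the resulting part files with mergecap -a.
# Commands are printed, not executed, so this runs without Wireshark installed.
# Usage:
#   emit_editcap_batches /pub/mypcap.pcap /pub/mysubcap 1-3 6-7 12-14 15-16 20-40 | sh

MAX_SELECT=100   # matches "static struct select_item selectfrm[100]" quoted above

# emit_editcap_batches INFILE OUTPREFIX RANGE...
# Each RANGE is what editcap accepts on its command line: a packet number N
# or an inclusive span N-M. Prints one editcap line per batch of at most
# MAX_SELECT ranges, then one mergecap line. The batches keep the order the
# ranges were given in, so with ascending ranges mergecap -a (concatenate
# rather than merge by timestamp) preserves the original packet order.
emit_editcap_batches() {
    infile=$1
    prefix=$2
    shift 2
    if [ "$#" -eq 0 ]; then
        echo "no ranges given" >&2
        return 1
    fi
    batch=""
    count=0
    part=0
    for range in "$@"; do
        # Reject anything that is not digits and '-' before it reaches editcap
        case "$range" in
            ""|*[!0-9-]*) echo "bad range: '$range'" >&2; return 1 ;;
        esac
        batch="$batch $range"
        count=$((count + 1))
        if [ "$count" -eq "$MAX_SELECT" ]; then
            part=$((part + 1))
            printf 'editcap -r %s %s-part%03d.pcap%s\n' "$infile" "$prefix" "$part" "$batch"
            batch=""
            count=0
        fi
    done
    if [ "$count" -gt 0 ]; then
        part=$((part + 1))
        printf 'editcap -r %s %s-part%03d.pcap%s\n' "$infile" "$prefix" "$part" "$batch"
    fi
    # Final step: concatenate the parts, in order, into PREFIX.pcap
    printf 'mergecap -a -w %s.pcap' "$prefix"
    i=1
    while [ "$i" -le "$part" ]; do
        printf ' %s-part%03d.pcap' "$prefix" "$i"
        i=$((i + 1))
    done
    printf '\n'
}

# count_editcap_calls INFILE OUTPREFIX RANGE...
# Prints how many editcap invocations the batching produces for this list.
count_editcap_calls() {
    emit_editcap_batches "$@" | grep -c '^editcap '
}
```

With 6000 packets spread over a few thousand small runs, this produces a few dozen editcap calls and one mergecap call; each editcap pass reads the whole input, so for very large captures the display-filter route is also the faster one.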